skip to main content
US FlagAn official website of the United States government
dot gov icon
Official websites use .gov
A .gov website belongs to an official government organization in the United States.
https lock icon
Secure .gov websites use HTTPS
A lock ( lock ) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Explore Research Products in the PAR
It may take a few hours for recently added research products to appear in PAR search results.


Title: Making Access Control Easy in IoT
Secure installation of Internet of Things (IoT) devices requires configuring access control correctly for each device. In order to enable correct configuration Manufacturer Usage Description (MUD) has been developed by Internet Engineering Task Force (IETF) to automate the protection of IoT devices by micro-segmentation using dynamic access control lists. The protocol defines a conceptually straightforward method to implement access control upon installation by providing a list of every authorized access for each device. This access control list may contain a few rules or hundreds of rules for each device. As a result, validating these rules is a challenge. In order to make the MUD standard more usable for developers, system integrators, and network operators, we report on an interactive system called MUD-Visualizer that visualizes the files containing these access control rules. We show that, unlike manual analysis, the level of the knowledge and experience does not affect the accuracy of the analysis when MUD-Visualizer is used, indicating that the tool is effective for all participants in our study across knowledge and experience levels.  more » « less
Award ID(s):
1916635
PAR ID:
10296081
Author(s) / Creator(s):
; ; ; ;
Date Published:
Journal Name:
IFIP advances in information and communication technology
Volume:
613
ISSN:
1868-4238
Format(s):
Medium: X
Sponsoring Org:
National Science Foundation
More Like this
  1. ; ; ; ; (, SaSeIoT)
    null (Ed.)
    . Manufacturer Usage Description (MUD) is an Internet Engineering Task Force (IETF) standard designed to protect IoT devices and networks by creating an out-of-the-box access control list for an IoT device. Access control list of each device is defined in its MUD-File and may contain possibly hundreds of access control rules. As a result, reading and validating these files is a challenge; and determining how multiple IoT devices interact is difficult for the developer and infeasible for the consumer. To address this we introduce the MUD-Visualizer to provide a visualization of any number of MUD-Files. MUD-Visualizer is designed to enable developers to produce correct MUD-Files by providing format correction, integrating them with other MUD-Files, and identifying conflicts through visualization. MUD-Visualizer is scalable and its core task is to merge and illustrate ACEs for multiple devices; both within and beyond the local area network. MUD-Visualizer is made publicly available and can be found in GitHub. 
    more » « less
  2. ; ; (, HotEdge: A Usenix ATC Workshop)
    null (Ed.)
    Manufacturer Usage Description (MUD) is a proposed IETF standard enabling local area networks (LAN) to automatically configure their access control when adding a new IoT device based on the recommendations provided for that device by the manufacturer. MUD has been proposed as an isolation-based defensive mechanism with a focus on devices in the home, where there is no dedicated network administrator. In this paper, we describe the efficacy of MUD for a generic IoT device under different threat scenarios in the context of the Fog. We propose a method to use rate limiting to prevent end devices from participating in denial of service attacks (DDoS), including against the Fog itself. We illustrate our assumptions by providing a possible real world example and describe the benefits for MUD in the Fog for various stakeholders. 
    more » « less
  3. ; ; (, WIREs Data Mining and Knowledge Discovery)
    Abstract Rapid advances in the Internet‐of‐Things (IoT) domain have led to the development of several useful and interesting devices that have enhanced the quality of home living and industrial automation. The vulnerabilities in the IoT devices have rendered them susceptible to compromise and forgery. The problem of device authentication, that is, the question of whether a device's identity is what it claims to be, is still an open problem. Device fingerprinting seems to be a promising authentication mechanism. Device fingerprinting profiles a device based on information available about the device and generate a robust, verifiable and unique identity for the device. Existing approaches for device fingerprinting may not be feasible or cost‐effective for the IoT domain due to the resource constraints and heterogeneity of the IoT devices. Due to resource and cost constraints, behavioral fingerprinting provides promising directions for fingerprinting IoT devices. Behavioral fingerprinting allows security researchers to understand the behavioral profile of a device and to establish some guidelines regarding the device operations. In this article, we discuss existing approaches for behavioral fingerprinting of devices in general and evaluate their applicability for IoT devices. Furthermore, we discuss potential approaches for fingerprinting IoT devices and give an overview of some of the preliminary attempts to fingerprint IoT devices. We conclude by highlighting the future research directions for fingerprinting in the IoT domain. This article is categorized under:Application Areas > Science and TechnologyApplication Areas > InternetTechnologies > Machine LearningApplication Areas > Industry Specific Applications 
    more » « less
  4. ; ; (, International Conference on Network of the Future (NoF))
    The security of Internet-of-Things (IoT) devices in the residential environment is important due to their widespread presence in homes and their sensing and actuation capabilities. However, securing IoT devices is challenging due to their varied designs, deployment longevity, multiple manufacturers, and potentially limited availability of long-term firmware updates. Attackers have exploited this complexity by specifically targeting IoT devices, with some recent high-profile cases affecting millions of devices. In this work, we explore access control mechanisms that tightly constrain access to devices at the residential router, with the goal of precluding access that is inconsistent with legitimate users' goals. Since many residential IoT devices are controlled via applications on smartphones, we combine application sensors on phones with sensors at residential routers to analyze workflows. We construct stateful filters at residential routers that can require user actions within a registered smartphone to enable network access to an IoT device. In doing so, we constrain network packets only to those that are consistent with the user's actions. In our experiments, we successfully identified 100% of malicious traffic while correctly allowing more than 98% of legitimate network traffic. The approach works across device types and manufacturers with straightforward API and state machine construction for each new device workflow. 
    more » « less
  5. ; ; ; ; ; (, IEEE Transactions on Industrial Informatics)
    Internet of Things (IoT) devices have been widely adopted in recent years. Unlike conventional information systems, IoT solutions have greater access to real-world contextual data and are typically deployed in an environment that cannot be fully controlled, and these circumstances create new challenges and opportunities. In this article, we leverage the knowledge that an IoT device has about its network context to provide an additional security factor. The device periodically scans a network and reports a list of all devices in the network. The server analyzes movements in the network and subsequently reacts to suspicious events. This article describes how our method can detect network changes, retrieved only from scanning devices in the network. To demonstrate the proposed solution, we perform a multi-week case study on a network with hundreds of active devices and confirm that our method can detect network anomalies or changes. 
    more » « less
  • Citation Formats
  • MLA
  • APA
  • Chicago
  • BibTeX
  • Save / Share this Record
  • Send to Email